
HIPAA Compliance

Med Clinic X is designed from the ground up to support HIPAA-aligned operations. This page describes how we implement the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule to protect Protected Health Information (PHI).

Effective Date: January 1, 2025
Last Updated: June 1, 2026

Our Role Under HIPAA

As a Business Associate

When we process PHI on behalf of a healthcare provider (Covered Entity), we act as a Business Associate. We execute a Business Associate Agreement (BAA) with every clinic client, defining our obligations, permitted uses of PHI, and breach notification responsibilities.

As a Technology Provider

As the technology provider powering the patient portal, we are responsible for the technical and physical safeguards that protect PHI at the infrastructure level — encryption, access control, audit logging, and secure hosting.

HIPAA Safeguards

Administrative Safeguards

Designated HIPAA Security Officer and Privacy Officer
Annual HIPAA training for all staff with access to PHI
Documented policies and procedures for PHI handling
Background checks for personnel with PHI access
Documented sanction policy for policy violations
Risk analysis and risk management program
Contingency plan for data breaches and disaster recovery
Business Associate Agreements (BAAs) with all sub-processors

Physical Safeguards

PHI hosted exclusively on HIPAA-eligible cloud infrastructure (AWS)
Data centers with SOC 2 Type II certifications
No PHI stored on local workstations or removable media
Workstation use policies requiring automatic screen lock
Secure disposal procedures for any physical media
Controlled facility access to data infrastructure

Technical Safeguards

AES-256 encryption for all PHI at rest
TLS 1.3 encryption for all data in transit
Role-Based Access Control (RBAC) — minimum necessary access
Multi-Factor Authentication (MFA) available for all accounts
Automatic session timeout after inactivity
Complete audit logging of all PHI access events
Unique user identification for every platform account
Encrypted database backups with tested recovery procedures
API security with signed, expiring tokens

Your HIPAA Rights

Under the HIPAA Privacy Rule, you have the following rights with respect to your Protected Health Information. These rights apply to PHI held by your healthcare provider and, where applicable, to Med Clinic X as their Business Associate.

Right of Access

You have the right to inspect and obtain a copy of your PHI maintained by your healthcare provider. Request it through your patient portal or directly from your clinic. We process access requests within 30 days.

Right to Amendment

If you believe your PHI is inaccurate or incomplete, you have the right to request an amendment. Amendments are documented and attached to the original record; the original is preserved as required by HIPAA.

Right to an Accounting of Disclosures

You can request a report of disclosures of your PHI made outside of treatment, payment, and healthcare operations for the 6 years prior to the date of your request.

Right to Restrict Disclosures

You may request restrictions on how your PHI is used or disclosed. While we are not always required to agree, we will accommodate reasonable requests and document all agreed restrictions.

Right to Confidential Communications

You may request that we communicate with you about your PHI by alternative means or to an alternative location — for example, by phone only at your work number rather than your home address.

Right to a Paper Copy of Privacy Notice

You have the right to receive a paper copy of this HIPAA Compliance Notice upon request, even if you have agreed to receive it electronically. Contact us at privacy@medclinicx.com to request a copy.

Business Associate Agreements

Med Clinic X executes a Business Associate Agreement (BAA) with every healthcare provider that uses our Platform. The BAA defines:

The permitted uses and disclosures of PHI by Med Clinic X
Our obligation to implement appropriate safeguards
Requirements for reporting breaches and security incidents
Procedures for returning or destroying PHI upon contract termination
Sub-contractor BAA requirements for all downstream processors

Healthcare providers wishing to execute a BAA should contact us at compliance@medclinicx.com.

Breach Notification Protocol

In the event of a breach of unsecured PHI, we follow a structured response protocol in compliance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).

Detection

Our automated monitoring systems detect anomalies and potential breaches 24/7, triggering immediate alerts to our security team.

Containment

Within hours of detection, we contain the incident, preserve evidence, and prevent further unauthorized access.

Assessment

We assess the nature of the breach, which PHI was affected, and who was impacted — within 48 hours of discovery.

Notification

Affected individuals are notified within 60 days. HHS is notified per HIPAA requirements. If 500+ patients are affected, media notification is provided.

Remediation

We implement corrective measures, update policies, and conduct additional staff training to prevent recurrence.

PHI Retention Requirements

6 years: HIPAA policies, procedures, and BAAs
6 years: Audit logs and access records
7 years: Patient health records (minimum, from last date of service)
10 years: Minor patient records (from age of majority)
30 days: Voice command transcriptions (then auto-deleted)

Important Note for Healthcare Providers

While Med Clinic X implements HIPAA-aligned infrastructure and supports HIPAA compliance, ultimate responsibility for HIPAA compliance remains with the Covered Entity (your clinic). Compliance requires proper configuration, staff training, and operational policies on your part. Contact our compliance team for implementation guidance.

HIPAA or compliance questions?

Contact our Compliance team at compliance@medclinicx.com or request a BAA at legal@medclinicx.com.